Data Theft - Where TalkTalk and others go wrong and how to beat hackers

We wanted to take 5 minutes to stop and write a little bit about how to defeat hackers and keep them away from doing harm to customer’s details. It comes in the aftermath of the fallout of the TalkTalk failures and for us to show how keeping customers details isn’t hard at all – it’s actually pretty easy. Notice however we said safe – not out of hacker’s hands because there is a difference.

Our Background

Quick Loans has operated in financial services for many years and we take a keen interest in customer security and keeping out customers. We realise that one slip could potentially end our business. We don't often talk about our methods for obvious reasons but this time we thought we'd share our procedures so that others can view, copy, improve or even criticise what we have been doing for the last few years.

What is our solution?

Let’s just quickly get to the point of this article instead of expecting busy people to sit here and listen to our detailed reasoning, we go into that later. Here is the shortened version.

Expect hackers to get into your system, create at least 5000 fake customer accounts for every single real customer on the database. This will make the data they get unusable and worthless.

Reasoning

Stopping hackers getting in is impossible, sorry to break that feeling of invincibility to people out there who think their businesses are safe. Sure as a business you should – it is your legal duty - take all reasonable steps to stop someone getting in and make it as hard possible for hackers to get mass information out. We expect all businesses to do that, we do ourselves. The fact of the matter is that there are 8 billion people on this planet. There is no way you can ever know what new techniques one of them is going to come up with to find an exploit in your system. Even if it is not a hacker, it could be a staff member that tries to move data outside of the business.

Always work on the assumption that your customer’s data will be obtained. By doing this you are taking control of things, rather than hoping that boy genius hacker from some dark corner of the planet doesn't target you – you can’t do anything about them.

Understanding the hackers, the data and why they do it

Without taking a look at TalkTalk’s database I know that they have a customer called Steven, I know they have a customer with the surname Smith. I know that they have a customer born on the 1st of June.

I know this is because of probability - me knowing this is off course no value to anyone – that’s the point I’m getting at. Probability is the friend of the business and the enemy of the hacker. What companies like TalkTalk and other companies do is move away from probability by storing each of their customer’s details together in one place – under an account number. By doing this the hacker then connects these snippets and knows that they have a customer called Steven Smith born on the 1st of June. This is where it becomes valuable to the hacker, because he or she is able to put a picture of the customer.

What you have to do as a business is move back towards probability when it comes to your customers data

Here is how

There are ways to fragment your customers data, across accounts or even multiple databases. There is no rule that says you have to keep one customers account on one database. It’s costly and complicated so I don’t really want to go into it here but it can be done. There is a better way.

By randomly creating 5,000 (more the better but 5,000 is an example for this article) fake accounts for every real account, you are moving back from factual customer details to probable ones. The hacker has no idea which account is real or fake, no computer software or algorithm will ever be able to tell them that. The fake accounts can be updated with fake updates to make them look real, like they are active in the same way other accounts are. We’ve worked out ways how to do this but for this article it isn’t important.

What does this do to fraudsters and hackers

According to some there are black markets online where criminals exchange these hacked details. The going rate seems to be around $10 a time, I’ve no idea if that is true but it doesn’t really matter. By creating 5,000 fake accounts you have at least just took his $10 and made it 5000 times less valuable to anyone.

Digging out the calculator for a second, that is $10 divided by 5000 = $0.002. The major point here though is that this customer’s details are now worth 200 times less to the criminals than getting a job at McDonald’s.

Starting to see where this is going yet?

You are now getting into the head’s of hackers, and without firewalls or security guru’s at £10,000 an hour giving speeches - you are now making hacking your system pointless from a financial point of view.

Other benefits

Use it as an early alert method. You can use fake accounts with details of people that would not exist except in your database and monitor them for credit checks with agencies like Experian or Equifax. If you get notified of checks against these accounts then you will know someone is in your system, simply because those people don’t exist anywhere else.

You can do the same with credit card numbers matched with those fake accounts. Mastercard and Visa should work with you if you are a big organisation to check to see if someone is trying to use these fake details.

One other big benefit is the amount of data leaving your system for every real account theft has just been multiplied 5,000. This means that in a normal database, something like for example 1mb of data needs to be moved for each customers details being stolen. Under our method, that is now 500mb of data that needs to leave your system for every real user. This amount of data leaving in batches of 100 at a time should certainly set of alarm bells at even the most modest of security conscious firms.

These things are all early warning indicators being multiplied 5,000 times in strength.

Fake accounts, how do you tell which is real?

OK as a business you will need to know which accounts are real and fake because you will need to do financial reporting etc.

What we have done is tohave setup a separate database (database 2) that isn’t connected to the outside world. All this holds is the real account numbers - not customer data. This knows which account numbers in database 1 are real. It will only run reports using the real customer accounts; the fake ones don’t exist to (database 2) and it just simply ignores them.

As database 2 is not connected to the internet, it can’t be hacked from the outside. The best way to think about the way we hold our data is to almost sort it like a terrorist cell. If one part gets compromised then the rest isn’t affected.

Costs

We estimate that the costs of storing all this extra data runs us to a cost of no more than £3000 to host and generate around 600m fake accounts. Ongoing costs are around £1000 a year.

£3,000 – it would cost more than that for a 2 hour speech from a security expert.

Conclusion

Obviously we haven’t gone in to massive details about this because the full setup would take up about 30 pages of content; however the main points are there. We urge businesses to do what we do and accept that hackers can and will get in if they fire off enough resources at getting into your system. Move to what to do when they get in and how to make the data worthless to anyone else but you. There are other methods such as encryption which help but those come with their own issues.

If you take one thing from this article it should be this. Take control of things you can affect, whether or not they can get in is ultimately out of your hands – unless you designed the router, the operating system, the server ports, the password system, the caching system etc – and you were perfect at all of them first time.

There is nothing new in what we are saying, it’s a method that is at least over 70 years old.

Remember what Churchill said:

“Truth is so precious that she should always be attended by a bodyguard of lies”

Graeme Wingate

Director

Quick Loans

Feel free to chat to us via Twitter or the comments section below. No, this article isn't a pitch for work or consultancy anywhere in the security business - we have enough work here thanks.